Do Distributed Differentially-Private Protocols Require Oblivious Transfer? Vipul Goyal∗ Dakshita Khuranay Ilya Mironovz Omkant Pandeyx Amit Sahai{ Abstract We study the cryptographic complexity of two-party differentially-private protocols for a large natural class of boolean functionalities. Information theoretically, McGregor et al. [FOCS 2010] and Goyal et al. [Crypto 2013] demonstrated several functionalities for which the maximal possible accuracy in the distributed setting is significantly lower than that in the client-server setting. Goyal et al. [Crypto 2013] further showed that “highly accurate” protocols in the dis- tributed setting for any non-trivial functionality in fact imply the existence of one-way functions. However, it has remained an open problem to characterize the exact cryptographic complexity of this class. In particular, we know that semi-honest oblivious transfer helps obtain optimally accurate distributed differential privacy. But we do not know whether the reverse is true. We study the following question: Does the existence of optimally accurate distributed differ- entially private protocols for any class of functionalities imply the existence of oblivious transfer? We resolve this question in the affirmative for the class of boolean functionalities that contain an XOR embedded on adjacent inputs. ◦ We construct a protocol implementing oblivious transfer from any optimally accurate, dis- tributed differentially private protocol for any functionality with a boolean XOR embedded on adjacent inputs. ◦ While the previous result holds for optimally accurate protocols for any privacy parameter > 0, we also give a reduction from oblivious transfer to distributed differentially private protocols computing XOR, for a constant small range of non-optimal accuracies and a constant small range of values of privacy parameter . At the heart of our techniques is an interesting connection between optimally-accurate two- party protocols for the XOR functionality and noisy channels, which were shown by Crépeau and Kilian [FOCS 1988] to be sufficient for oblivious transfer. ∗Microsoft Research India, Bangalore. Email: [email protected]. yUCLA and Center for Encrypted Functionalities. Email: [email protected]. zEmail: [email protected]. Work done while at Microsoft Research. xUniversity of California, Berkeley. Email: [email protected]. {UCLA and Center for Encrypted Functionalities. Email: [email protected]. 1 Introduction Differential privacy [Dwo06, DMNS06, DN04, DN03] has become one of the most well-studied and popular privacy notions in recent years1. It provides powerful input privacy guarantees to participants of a statistical query database. Informally a randomized function computed on a database is said to be differentially private, if the output distribution induced by the presence of a particular record is statistically close to the distributed induced when the record is absent. While maintaining privacy of participants, any differentially private algorithm must also guarantee some meaningful accuracy. Consider a confidential dataset owned by a trusted server. The server must release the outcome of some statistic evaluated on the dataset, to an untrusted client. Even in this setting, where privacy is a concern only at the server’s end, there is an evident tradeoff between privacy and accuracy. In fact, for any given privacy parameter , there is a maximum possible accuracy (which we call the optimal accuracy) such that any algorithm with better than optimal accuracy will fail to remain differentially private. Privacy-accuracy tradeoffs are reasonably well-understood in the client-server setting [DN03, DMT07, DY08, KRSU10]. There has also been a huge body of work in designing algorithms that achieve close to optimal accuracies for various functionalities and data mining tasks in the client-server setting. The focus of this work is the distributed setting, where the database is jointly hosted by multiple mutually distrusting servers. This setting was first studied by Dwork et al. [DKM+06]. As an illustrative example, consider two hospitals which together wish to compute the correlation between the occurrence of smoking and lung cancer by taking into account their combined patient records. In this setting, we require the servers to engage in a protocol, at the end of which the privacy of each record of both the servers is guaranteed without a significant loss in accuracy. Note that the privacy requirements must be met for both servers, given their entire view of the protocol transcript, not just the computed output; possibly necessitating an additional loss in accuracy (over and above the loss in the client-server setting). The intuition that the distributed setting would necessitate a greater accuracy loss than the client-server setting has been proved to be correct in the information theoretic world for different classes of functions in various works. Beimel, Nissim and Omri [BNO08] showed accuracy limits for distributed differentially-private protocols for n parties each holding their own inputs. McGregor, Mironov, Pitassi, Reingold, Talwar and Vadhan [MMP+10] showed large accuracy gaps in the two- party setting for several natural functionalities with n-bit inputs. Goyal, Mironov, Pandey and Sahai [GMPS13] demonstrated a constant gap between the maximal achievable accuracies in the client-server and distributed settings for any non-trivial boolean functionality. In the computational setting this gap vanishes, if a semi-honest protocol for oblivious transfer exists. In this case, both servers can use secure multi-party computation [GMW87] to simulate the client-server differentially private function evaluation, thereby achieving optimally accurate output evaluated on the union of their databases. Although this assumption is sufficient, it is not clear whether this assumption is necessary as well. Indeed, there has been a separate line of work, starting with Haitner, Omri and Zarosim [HOZ13] demonstrating black-box separations between one-way functions and distributed differentially pri- vate algorithms with optimal accuracies, for two-party n-bit functionalities. Khurana, Maji and Sahai [KMS14] showed a black-box separation between public-key encryption and distributed dif- ferentially private algorithms with optimal accuracies for two-party boolean functionalities. In fact, these separations also extend to a range of non-optimal accuracies that are information theoretically 1See [Dwo11] for a survey of results. 1 impossible to achieve in the distributed setting. These results provide evidence that some “strong” cryptographic assumption is likely to be necessary for optimally accurate distributed differentially private function evaluation. Despite the above research, the following question has remained elusive: “Does there exist any class of functionalities whose distributed differentially private evaluation with optimal accuracy, necessitates the existence of oblivious transfer?” We prove that any protocol to compute the boolean XOR functionality in a distributed differ- entially private manner with optimal accuracy and overwhelming probability of agreement (on the output) between both parties, implies the existence of oblivious transfer. Our result also directly lends itself to any boolean functionality that contains an embedded XOR on two adjacent inputs. Roughly, a function f is said to contain an embedded XOR if and only if the ideal functionality for f can be used to compute the boolean XOR functionality in the semi-honest setting. We give a formal definition of what it means for a function to contain an embedded XOR, later in the paper. Interestingly, in the setting of secure computation, the ideal XOR functionality is known to be trivial. This is because the output of the functionality combined with the input of any individual party reveals completely, the input of the other party. Thus, parties can simply send each other their inputs – this corresponds to a secure evaluation of the XOR functionality. However, an optimally accurate distributed differentially private (noisy) protocol for XOR is not trivial, in fact we show that it gives oblivious transfer. Furthermore, our proof of security crucially relies on the fact that an ideal (non-noisy) XOR is fully informative about the input of the other party. Relationship between Differential Privacy and MPC. It is interesting to observe the “philo- sophical” differences between the requirements of differential privacy and secure computation: ◦ In (computationally) differentially-private protocols, “privacy comes first.” We would like to first ensure privacy of each individual input and then with this constraint, would like to compute an output which is as accurate as possible. ◦ In secure computation, “accuracy comes first.” We would like to release an accurate output to the function we are computing first and then with this constraint, would like to ensure privacy of the inputs to the extent possible. This leads to the notion of simulation: the transcript leaks no information about the inputs beyond what can be deduced from the output itself. Nevertheless, as already mentioned, general secure computation methods immediately give a way to achieve the same (optimal) level of accuracy in distributed differentially-private protocols as the best achievable accuracy in the client-server setting. By relying completely on oblivious transfer for secure computation [Kil88], our results show that the reverse is true as well (at least for the differentially private evaluation of any two-party